Hashtopolis vs Hashview vs Hashcat: Self-Hosted Password Security Auditing Guide 2026

Organizations that self-host their own infrastructure need a reliable way to audit password strength across their systems. Whether you’re a penetration tester running assessments, a security team validating password policies, or a sysadmin checking for weak credentials in your user database, self-hosted password auditing tools give you full control over sensitive data.

This guide compares three leading options for self-hosted password security auditing in 2026: Hashtopolis (distributed cracking management), Hashview (web-based analytics platform), and standalone Hashcat (the industry-standard GPU-accelerated tool).

Why Self-Host Password Auditing Tools

Running password security audits on external cloud services or third-party platforms exposes sensitive hash data to networks outside your control. Self-hosting ensures that:

• Hash data never leaves your network — password hashes and cracked results stay on-premises
• Full control over GPU resources — dedicate your own hardware without usage-based billing
• Compliance requirements — meet regulatory mandates that forbid sending credential data to external services
• Custom rule and mask sets — build organization-specific dictionaries and attack strategies
• Integration with internal tooling — connect to your SIEM, ticketing, and reporting systems

For teams that regularly audit Active Directory, LDAP, or application database passwords, having a persistent cracking platform with a web interface dramatically improves workflow over running standalone CLI commands.

Hashtopolis: Distributed Cracking Management Platform

Hashtopolis is an open-source distributed password cracking management platform designed specifically for coordinating Hashcat across multiple machines. It provides a web-based interface for creating, assigning, and monitoring cracking jobs across a fleet of agents.

Key Stats (as of April 2026):

• GitHub Stars: 1,738
• Last Updated: April 23, 2026
• Architecture: PHP backend with MySQL, separate frontend and agent components
• License: GPL-3.0

Hashtopolis Architecture

Hashtopolis uses a three-tier architecture:

1. Backend Server — manages the database, job queue, and API
2. Frontend — Angular-based web interface for users and administrators
3. Agent — lightweight client that runs on cracking nodes, pulls jobs from the server, and executes Hashcat

The architecture supports horizontal scaling: you can add dozens of cracking agents across different machines, each with different GPU configurations, and Hashtopolis distributes work chunks automatically.

Deploying Hashtopolis with Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

version: '3.7'
services:
  hashtopolis-backend:
    container_name: hashtopolis-backend
    image: hashtopolis/backend:latest
    restart: always
    volumes:
      - hashtopolis:/usr/local/share/hashtopolis:Z
    environment:
      HASHTOPOLIS_DB_USER: hashtopolis
      HASHTOPOLIS_DB_PASS: strongpassword123
      HASHTOPOLIS_DB_HOST: db
      HASHTOPOLIS_DB_DATABASE: hashtopolis
      HASHTOPOLIS_ADMIN_USER: admin
      HASHTOPOLIS_ADMIN_PASSWORD: adminpassword123
      HASHTOPOLIS_APIV2_ENABLE: true
    depends_on:
      - db
    ports:
      - 8080:80

  db:
    container_name: hashtopolis-db
    image: mysql:8.0
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: rootpassword123
      MYSQL_DATABASE: hashtopolis
      MYSQL_USER: hashtopolis
      MYSQL_PASSWORD: strongpassword123

  hashtopolis-frontend:
    container_name: hashtopolis-frontend
    image: hashtopolis/frontend:latest
    environment:
      HASHTOPOLIS_BACKEND_URL: http://hashtopolis-backend:8080
    restart: always
    depends_on:
      - hashtopolis-backend
    ports:
      - 4200:80

volumes:
  db:
  hashtopolis:

To deploy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Save the compose file and launch
docker compose -f docker-compose.yml up -d

# Access the frontend at http://localhost:4200
# API backend available at http://localhost:8080

# On each cracking agent, download and configure the agent
wget https://github.com/hashtopolis/agent/releases/latest/download/hashtopolis-agent.zip
unzip hashtopolis-agent.zip
python3 hashtopolis-agent.py --url http://your-server:8080

Hashtopolis Key Features

• Chunk-based job distribution — large hash lists are split into manageable chunks assigned to agents
• Real-time progress tracking — monitor cracks-per-second, ETA, and completion percentage per agent
• Pre-configured attack modes — dictionary, brute-force, mask, hybrid, and rule-based attacks
• Pretask support — run preprocessing steps (e.g., rule generation) before cracking begins
• File import/export — upload wordlists, rules, and hash files through the web interface
• Multi-user access control — role-based permissions for administrators, managers, and operators
• API v2 — REST API for integrating with ticketing systems, SIEM platforms, and automation pipelines

Hashview: Web-Based Cracking Analytics

Hashview is a web front-end for password cracking that focuses on analytics and reporting. Unlike Hashtopolis which emphasizes distributed job management, Hashview provides a centralized dashboard for tracking cracking results, generating reports, and managing wordlists and rules.

Key Stats (as of April 2026):

• GitHub Stars: 391
• Last Updated: February 17, 2026
• Architecture: Python/Flask backend with MySQL, web-based interface
• License: AGPL-3.0

Deploying Hashview with Docker Compose

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

services:
  app:
    build: .
    platform: linux/amd64
    links:
      - db
    ports:
      - "5000:5000"
    depends_on:
      db:
        condition: service_healthy

  db:
    image: "mysql:8-debian"
    platform: linux/amd64
    restart: always
    cap_add:
      - SYS_NICE
    environment:
      MYSQL_DATABASE: hashview
      MYSQL_USER: hashview
      MYSQL_PASSWORD: hashview
      MYSQL_RANDOM_ROOT_PASSWORD: yes
    ports:
      - '3306:3066'
    volumes:
      - db:/var/lib/mysql
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      timeout: 20s
      retries: 10

volumes:
  db:
    driver: local

To deploy:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Clone the repository
git clone https://github.com/hashview/hashview.git
cd hashview

# Build and start containers
docker compose up -d --build

# Access the web interface
# http://localhost:5000

# Default credentials: admin / admin
# Change immediately after first login

Hashview Key Features

• Analytics dashboard — visualize cracking progress with charts and statistics
• Result persistence — cracked passwords are stored and searchable across sessions
• Report generation — export findings in CSV, PDF, and JSON formats for compliance reporting
• Wordlist management — upload, organize, and prioritize wordlists with usage statistics
• Rule management — maintain a library of Hashcat rules with preview functionality
• Multi-format hash support — NTLM, bcrypt, SHA-256, LM, MD5, and 300+ hash types
• Lightweight deployment — simpler architecture than Hashtopolis, easier to set up for small teams

Standalone Hashcat: The Industry Standard

Hashcat is the world’s fastest and most advanced password recovery utility. While Hashtopolis and Hashview are management platforms built on top of Hashcat, the standalone CLI tool remains the most widely used option for individual security professionals and small teams.

Key Stats (as of April 2026):

• GitHub Stars: 25,868
• Last Updated: February 20, 2026
• Architecture: C-based, supports CPU, GPU (NVIDIA, AMD, Intel), and FPGA acceleration
• License: MIT

Installing Hashcat

On Ubuntu/Debian:

1
2
3
4
5

sudo apt update
sudo apt install hashcat

# Verify installation and GPU detection
hashcat -I

Running via Docker (NVIDIA GPU required):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# Pull the official hashcat image
docker pull hashcat/hashcat

# Run with GPU access
docker run --rm --gpus all \
  -v $(pwd)/hashes:/hashes \
  -v $(pwd)/wordlists:/wordlists \
  hashcat/hashcat \
  -m 1000 /hashes/ntlm.txt /wordlists/rockyou.txt \
  --status --status-timer 30

# Common attack examples:
# Dictionary attack against NTLM hashes
hashcat -m 1000 hashes.txt rockyou.txt

# Rule-based attack with best64 rules
hashcat -m 1000 hashes.txt rockyou.txt -r rules/best64.rule

# Mask attack (brute-force with known pattern)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?l?d?d?d

# Hybrid attack (dictionary + mask)
hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d?d

Hashcat Key Features

• 350+ optimized hash algorithms — NTLM, bcrypt, SHA series, LM, Kerberos, RAR, ZIP, 7z, and more
• Multiple attack modes — dictionary, combination, brute-force mask, hybrid, and rule-based
• GPU acceleration — leverages NVIDIA CUDA, AMD OpenCL, and Intel GPU architectures
• Distributed mode — native distributed cracking without a management server (limited compared to Hashtopolis)
• Session management — pause, resume, and restore cracking sessions
• Benchmarking — benchmark your hardware against specific hash types with hashcat -b

Feature Comparison

Which Tool Should You Choose?

Choose Hashtopolis if:

• You operate multiple cracking machines across your infrastructure
• You need centralized job management and real-time monitoring
• Your team requires role-based access control
• You want API integration with other security tools
• You run large-scale password audits (millions of hashes)

Choose Hashview if:

• You prioritize analytics and reporting over distributed management
• You need exportable reports for compliance documentation
• You want a simpler deployment with fewer moving parts
• Your team is small (1-5 users)
• You value cracked password searchability across sessions

Choose Standalone Hashcat if:

• You’re a solo security professional
• You have a single powerful cracking machine
• You prefer CLI workflows and automation via scripts
• You need the fastest possible cracking without management overhead
• You want the simplest possible setup with zero infrastructure

Security Best Practices for Self-Hosted Auditing

When running password security auditing tools, follow these operational security guidelines:

Network Isolation: Place your cracking platform on an isolated management VLAN. Never expose the web interfaces to the public internet — always use a reverse proxy with IP allowlists.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

# Nginx reverse proxy configuration for Hashtopolis
server {
    listen 443 ssl;
    server_name cracking.internal.yourdomain.com;

    ssl_certificate /etc/ssl/certs/cracking.crt;
    ssl_certificate_key /etc/ssl/private/cracking.key;

    # Restrict to internal networks only
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    location / {
        proxy_pass http://127.0.0.1:4200;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Hash File Handling: Treat hash files as sensitive data. Encrypt them at rest, transmit them over internal encrypted channels only, and securely delete them after audits are complete.

1
2
3
4
5

# Encrypt hash files at rest
gpg --symmetric --cipher-algo AES256 /path/to/hashes.txt

# Secure deletion after audit completion
shred -vfz -n 7 /path/to/hashes.txt

Agent Security: Hashtopolis agents communicate with the backend server over HTTP by default. Tunnel this traffic through SSH or add TLS termination at a reverse proxy:

1
2
3
4
5

# SSH tunnel for agent-to-backend communication
ssh -L 8080:localhost:8080 user@hashtopolis-server -N

# Agent connects to localhost:8080 instead of server:8080
python3 hashtopolis-agent.py --url http://localhost:8080

Access Control: Enforce strong authentication on all web interfaces. Hashtopolis supports API keys for agent authentication — use them instead of basic auth for agent registration.

Performance Considerations

Password cracking performance depends primarily on your GPU hardware. Here are reference benchmark results for common hash types on modern hardware:

With Hashtopolis distributing work across multiple agents, you can achieve near-linear scaling. Ten RTX 4090 machines cracking NTLM hashes in parallel can test over 1 trillion passwords per second against a single hash list.

For related security tooling, check out our vulnerability management platform comparison and network scanning tools guide. You may also find our intrusion prevention systems comparison useful for building a comprehensive security toolkit.

FAQ

Is password cracking legal for self-hosted security auditing?

Yes, password auditing on systems you own or have explicit written authorization to test is legal in most jurisdictions. This includes auditing your own Active Directory, databases, and application user stores. Always obtain documented authorization before testing any system you do not own, and comply with applicable regulations and organizational policies.

Can Hashtopolis and Hashview work together?

No, they are independent platforms. Hashtopolis manages Hashcat agents with distributed job scheduling, while Hashview provides analytics and reporting for cracking results. You could theoretically use both in parallel — running Hashtopolis for job distribution and importing results into Hashview for reporting — but there is no native integration between them.

What hash formats are supported?

All three tools support 300+ hash types through Hashcat’s underlying engine. Common formats include NTLM (Windows), MD5, SHA-256/512, bcrypt, SHA-1, LM, Kerberos TGS-REP (mode 13100), WPA/WPA2 handshakes (mode 2500), RAR, 7-Zip, and ZIP archives. Use hashcat --help to see the full list of supported hash modes with their numeric identifiers.

How many cracking agents can Hashtopolis handle?

Hashtopolis is designed for horizontal scaling and can manage dozens to hundreds of agents simultaneously. The practical limit depends on your MySQL database capacity and network bandwidth. Most organizations run 5-20 agents effectively. Each agent requires a stable network connection to the backend server and a compatible Hashcat installation.

What are the minimum hardware requirements for self-hosted password auditing?

For basic auditing with standalone Hashcat, a machine with a modern GPU (NVIDIA GTX 1060 or better) and 8GB RAM is sufficient. For Hashtopolis deployment, you need a server with 4GB RAM and 2 CPU cores for the backend/frontend services, plus separate cracking nodes with GPUs. Hashview requires similar server specs with 2GB RAM and 1 CPU core minimum.

How do I integrate password audit results with my security workflow?

Hashtopolis provides a REST API (v2) that you can use to programmatically retrieve cracking results, job status, and agent statistics. Hashview supports CSV and JSON export for importing results into SIEM platforms, ticketing systems, or custom dashboards. For standalone Hashcat, you can parse the --outfile results with scripts to automate follow-up actions like forcing password resets for compromised accounts.